[ https://issues.apache.org/jira/browse/YARN-4737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15177543#comment-15177543 ]
Varun Vasudev commented on YARN-4737:
-------------------------------------

Thanks for the updated patch Jon. Some more fixes required -

1) In WebApps.java -
{code}
+ Map<String, String> params = getCsrfConfigParameters();
+ if (hasCSRFEnabled(params)) {
+ LOG.info("CSRF Protection has been enabled for the {} application. " +
+ "Please ensure that there is an authentication mechanism " +
+ "enabled (kerberos, custom, etc).",
+ name);
+ String restCsrfClassName = RestCsrfPreventionFilter.class.getName();
+ HttpServer2.defineFilter(server.getWebAppContext(), restCsrfClassName,
+ restCsrfClassName, params,
+ new String[] {"/*"});
+ }
{code}
should be before
{code}
HttpServer2.defineFilter(server.getWebAppContext(), "guice",
    GuiceFilter.class.getName(), null, new String[] { "/*" });
{code}
The guice filter redirects the request to the appropriate handler and the requests get executed before going through the CSRF filter.

2) The JHS configs in mapred-default.xml start with the prefix - mapreduce.jobhistory.webapp but the prefix used in code is mapreduce.jobhistory (no webapp) - I think you need to create a mapreduce.jobhistory.webapp prefix in the code.

3) In yarn-default.xml, all the timeline service configs have an extra "." in them after "yarn.timeline-service". e.g. yarn.timeline-service..webapp.rest-csrf.methods-to-ignore

The failing tests and ASF warnings are unrelated to the patch.

> Use CSRF Filter in YARN
> -----------------------
>
>                 Key: YARN-4737
>                 URL: https://issues.apache.org/jira/browse/YARN-4737
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager, resourcemanager, webapp
>            Reporter: Jonathan Maron
>            Assignee: Jonathan Maron
>         Attachments: YARN-4737.001.patch, YARN-4737.002.patch
>
>
> A CSRF filter was added to hadoop common
> (https://issues.apache.org/jira/browse/HADOOP-12691). The aim of this JIRA
> is to come up with a mechanism to integrate this filter into the webapps for
> which it is applicable (web apps that may establish an authenticated
> identity). That includes the RM, NM, and mapreduce jobhistory web app.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
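Points 2 and 3 of the review are both cases where a rest-csrf key in a *-default.xml file is never read by the webapp code, either because the key name has a doubled dot or because the code looks up a different prefix. A Hadoop Configuration treats such a key as just another unrelated string, so the filter silently runs with defaults. The lint below is an added example (not Hadoop code): it parses Hadoop-style configuration XML and flags such keys. The prefix set and the sample properties are constructed here from the prefixes named in the comment; the `.enabled` suffix and the resourcemanager/nodemanager prefixes are assumptions.

```python
"""Flag rest-csrf config keys that the webapp code would never read.
Added example, not part of Hadoop or of the YARN-4737 patch."""
import xml.etree.ElementTree as ET

# Prefixes the webapp code is assumed to read its rest-csrf settings from.
# "mapreduce.jobhistory" (without ".webapp") mirrors the mismatch the
# review comment points out; the others are assumptions for this example.
CODE_PREFIXES = {
    "yarn.resourcemanager.webapp",
    "yarn.nodemanager.webapp",
    "yarn.timeline-service.webapp",
    "mapreduce.jobhistory",
}

CSRF_MARKER = ".rest-csrf."

# Constructed sample in Hadoop *-default.xml layout; the second key carries
# the doubled dot quoted in the review, the third uses the JHS prefix that
# the XML declares but the code does not read.
SAMPLE_XML = """<configuration>
  <property><name>yarn.resourcemanager.webapp.rest-csrf.enabled</name>
    <value>false</value></property>
  <property><name>yarn.timeline-service..webapp.rest-csrf.methods-to-ignore</name>
    <value>GET,OPTIONS,HEAD</value></property>
  <property><name>mapreduce.jobhistory.webapp.rest-csrf.enabled</name>
    <value>false</value></property>
</configuration>"""


def load_names(xml_text):
    """Return the <name> of every <property> in a Hadoop configuration file."""
    root = ET.fromstring(xml_text)
    return [p.findtext("name", "").strip() for p in root.iter("property")]


def check_csrf_keys(xml_text, code_prefixes=CODE_PREFIXES):
    """Return (key, reason) pairs for rest-csrf keys the code cannot see."""
    problems = []
    for name in load_names(xml_text):
        if CSRF_MARKER not in name:
            continue
        if ".." in name:  # Configuration.get() never matches this typo
            problems.append((name, "doubled dot: key is never looked up"))
            continue
        prefix = name.split(CSRF_MARKER, 1)[0]
        if prefix not in code_prefixes:
            problems.append((name, f"prefix {prefix!r} is not read by the code"))
    return problems


if __name__ == "__main__":
    for key, reason in check_csrf_keys(SAMPLE_XML):
        print(f"{key}: {reason}")
```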